
Why is an OAUTH2 Client Able to Access a Resource For Which it Does Not Have a Role Specified in the Privilege Protecting it? (Doc ID 2972420.1)

Last updated on SEPTEMBER 05, 2023

Applies to:

Oracle REST Data Services - Version 23.1 and later
Information in this document applies to any platform.

Goal

Given two ORDS resources: <res1>, protected by privilege <priv1>, and <res2>, protected by privilege <priv2>.

<priv1> has no roles defined; <priv2> is associated with the role <role2>.

OAuth2 client <client1> is defined for resource <res1>, and OAuth2 client <client2> is defined for resource <res2>.

The test case:

<client2> obtains a token in order to access <res2>, and <client2> is authorized on <res2>. However, the same token is also accepted for accessing <res1>.

The goal is to explain why <client2> is able to access <res1>, a resource whose protecting privilege enumerates no role held by <client2>.

Solution
